It’s Not Just Phishing – Other Ways Email Is Exploited – Part 1

Phishing gets all the press when it comes to email account exploits. This is because phishing is the attack vector for over 90% of all cyber-attacks.  But there are other ways that bad actors, cyber-criminals, and state-sponsored cyber-warriors use email that don’t involve phishing at all, and the outcomes of these exploits can be as bad or even worse than phishing.  Today and Wednesday we will take a look at these exploits and learn how they work.

  • Password Hash Replay – When you create a password, it is run through a one-way function called hashing.  The hash, not the password, is stored on the server you need to authenticate to.  Password “cracking” involves hashing candidate passwords (all possible letter combinations) until one of the resulting hashes matches the hash of your password.  But it is also possible to just capture the hash by using a malicious email link and a fake login page, and replay the captured hash to log into the server.  If this is your mail server, the attacker has just logged into your email account.
    • Solution – Use longer passwords, and block outbound authentication logons at the firewall.
  • Password Spraying – Most brute-force password cracking is done offline.  Brute force will not work online because most login servers lock the account after 5 or 6 failed attempts within a short period, such as a minute.  Password spraying is one way to crack a password online.  It takes a long list of user names and tries a single password against every one of them.  Once the names are exhausted, a different password is tried against the whole list.  Because each account sees only one failed attempt per pass, this generally gets around login lockout rules.
    • Solution – Longer passwords coupled with two-factor authentication can help.
  • Web Forms – An email link may direct the target to a malicious or fraudulent login screen, where passwords are harvested or malware is downloaded and installed on the target’s computer.
    • Solution – Be sure that you are on the genuine website by checking the URL that shows in the browser address bar.
  • Password Recovery – Attackers will use the “I forgot my password” recovery link to recover or reset a target’s password.  These recovery methods are often less robust and easily compromised.
    • Solution – Never truthfully answer the “secret questions” used to reset your password, because it can be very easy to find the answers with a little Google research.  Make something up, and save the answers in your password manager.
  • SMS PIN Recovery – There are exploits that attempt to intercept your SMS two-factor or recovery code.  Sometimes the attacker will try to get you to reply with the code via SMS; the code should only ever be entered in a web page.  Other times attackers will set up a fake 2FA screen to capture your 2FA code.
    • Solution – Make sure you are connecting to authentic login and 2FA web pages.  Using device-based 2FA methods such as the YubiKey or Titan USB authenticator can prevent this exploit from working.
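The password spraying item above describes the pattern a defender can look for: one source producing a single failed attempt against many different accounts, each kept below the lockout threshold. The following detection logic is an added example written for this post, not code from the original article; the log format, the lockout value of 5, the 10-minute window and the 8-account threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the original post): a typical lockout policy
# locks an account after 5 failures, so a spray keeps every account below that.
LOCKOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 8

# Constructed sample log lines, one authentication attempt per line:
# "<ISO timestamp> <OK|FAIL> <username> <source IP>"
SAMPLE_LOG = [
    "2024-01-10T09:00:00 FAIL alice 198.51.100.5",   # alice mistypes twice ...
    "2024-01-10T09:00:30 FAIL alice 198.51.100.5",
    "2024-01-10T09:01:00 OK alice 198.51.100.5",     # ... then logs in: benign
] + [
    # one source trying a single password against twelve different accounts
    f"2024-01-10T09:00:{5 * i:02d} FAIL user{i:02d} 203.0.113.7" for i in range(12)
]


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip


def detect_spraying(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    lockout=LOCKOUT_THRESHOLD):
    """Return one alert per source IP whose failures match the spray signature:
    at least `min_users` distinct accounts failing inside `window`, while no
    single account reaches the `lockout` threshold."""
    failures_by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(parse_line(l) for l in lines if l.strip()):
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    alerts = []
    for ip, fails in failures_by_ip.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            distinct = len(per_user)
            if distinct >= min_users and max(per_user.values()) < lockout:
                # keep the widest spray window seen for this source
                if best is None or distinct > best["distinct_users"]:
                    best = {
                        "source_ip": ip,
                        "distinct_users": distinct,
                        "max_failures_per_user": max(per_user.values()),
                        "window_start": fails[start][0].isoformat(),
                        "window_end": fails[end][0].isoformat(),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```

The benign source (two failures on one account, then a success) is never flagged, because the rule counts distinct accounts, not raw failures. Per-account lockout counters alone would miss the spray entirely, since no account in it ever reaches the threshold; the signal only appears when failures are grouped by source.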
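The Web Forms and SMS PIN Recovery solutions both come down to verifying that the address bar shows the genuine login host. The check below is an added example, not code from the original post: it shows what "checking the URL" has to mean in practice, namely that only the host portion counts, the scheme must be HTTPS, and text placed before an "@" or in front of another domain does not make a page genuine. The allow-list of hosts and the test URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-list of the organisation's real login hosts (not from the post).
GENUINE_LOGIN_HOSTS = {"login.example.com", "mail.example.com"}


def is_genuine_login_url(url, allowed_hosts=GENUINE_LOGIN_HOSTS):
    """True only if the URL is served over HTTPS and its *host* is exactly one
    of the genuine login hosts.  urlsplit().hostname already drops any
    user:password@ prefix and the port and lower-cases the result, so the
    decision rests on the part of the address that actually selects the server."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return host.rstrip(".") in allowed_hosts


# Constructed test URLs: the first two are genuine, the rest are the kinds of
# look-alike addresses that fail the check even though they contain the real name.
CHECKS = {
    "https://login.example.com/signin": True,
    "https://mail.example.com:443/": True,
    "http://login.example.com/signin": False,             # not HTTPS
    "https://login.example.com.evil-site.test/": False,  # real host is evil-site.test
    "https://login.example.com@evil-site.test/": False,  # text before @ is userinfo
    "https://login-example.com/": False,                 # different domain
}


def run_checks(checks=CHECKS):
    """Return True when every constructed URL is classified as expected."""
    return all(is_genuine_login_url(url) == expected for url, expected in checks.items())


if __name__ == "__main__":
    for url, expected in CHECKS.items():
        print(f"{is_genuine_login_url(url)!s:5}  {url}")
    print("all checks pass:", run_checks())
```

The same rule applies when reading an address bar by eye: find the host (the part after `https://` and before the next `/`, ignoring anything before an `@`), and read it from the right-hand end, since the last two labels decide who owns the name.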

On Wednesday we will look at five more ways that email can be used as an attack vector.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
